From: Jeffrey Bloss Area: Public Key Encryption To: David Chessler 19 May 95 10:19:00 Subject: Re: encrypted messages UpdReq -----BEGIN PGP SIGNED MESSAGE----- DC>> JB>Correct me if I'm wrong David, but you haven't READ any of the specific DC>> >documents/sections I've referenced... have you? Your lack of possessio DC>> Anything that is so out of step with the information that I do have DC>> suggests that it is using unreliable definitions. This is not worth my DC>> while tracking down. Exactly the answer I expected. :( Let's recap, shall we? First you say there's almost no regulation of encryption world wide, and I say you're wrong... there is. You ask for sources and I provide them, but have so far neglected or refused to provide any yourself. Now, you offhandedly dismiss my sources without so much as cursory a glance, because you say they're in conflict with yours, and by this virtue ALONE must be incorrect. An amazingly bizarre stretch of logic... My guess is you're full of hot air David. You don't HAVE anything you can call a source. You've heard something "through the grapevine", accepted it as gospel, and for whatever reason you refuse even make an attempt to see if you're right, wrong, or indifferent. And THIS mess sorta puts the icing on the cake: DC>> JB>Smoke and mirrors... you conveniently deleted the part about "tightenin DC>> >restrictions", and I've never claimed the Soviet Union as evidence to DC>> Tightening? Imposing where none had been. And that's in the soviet union DC>> they didn't have operative and applicable law, in a country that had DC>> previously licensed typewriters. Comeon David... you're splitting non-existent hairs. :( Admit it, regulations on encryption ARE tightening. Even here at home there's factions working hard to outlaw private encryption. Lemme try another analogy... slowly this time. If you're sitting at a red light doing 0 mph, the light turns green and you accelerate to 45 mph, you have increased your speed... no? DC>> It is very easy to find obsolete laws or laws that apply in very limited DC>> circumstances, or that apply only to certain types of communications, and DC>> then say "statutes exist." Perhaps, but they are irrelevant. The fact that you've back off your former position of "There IS no law, period" also tells me you're unsure of yourself. What can I say... if you're so immobile on the subject that you refuse to even check an alternative source of information, or possibly "A" source in your case, I guess we have nothing to talk about. :( -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: -=[ Privacy Through Random Acts Of Encryption ]=- iQCVAwUBL7yo2ukStfMM4BMZAQF/ugP/QAo9IyTIj72WpSN0MovrRYZqPunqWXOF QLCnlI2kAb989o0HBBL4NMtcPD14FaAZZG26zL9N7c3Lqsg7eppocZBWAN7A44YK Ib+FlnvBPIa9FC67muJzgGUR8rUlIoaBE9hSM6jUiVLUUcmwz17mrq7Zrz58JV6O x3uPQ7ULGck= =G4JF -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718 From: Jeffrey Bloss Area: Public Key Encryption To: Alan Pugh 19 May 95 10:04:00 Subject: Re: Send/rec PGP Msg's UpdReq -----BEGIN PGP SIGNED MESSAGE----- AP>> JB> collected and analyzed. A cryptanalyst would be specifically LOOKING AP>> JB> for these name/key-ID errors, counting them, and basically tallying AP>> JB> deviations in things like frequency and length of posts using specifi AP>> if the person attempting to decrypt a message and doesn't have the AP>> public key for that person, doesn't pgp just report a 'cannot decrypt AP>> key xxxxx' message? (where xxxxx is the key's id number) at least That's exactly how it works. :) AP>> while _some_ information is better than none from the perspective of AP>> the analyst, it doesn't seem very useful unless they can get a copy But see, we're not talking about trying to decrypt messages, or even specifically identify the sender/receiver. Traffic analysis is just that... analyzing the numbers of messages, lengths, times, dates, etc. Traffic analysis is the "breadth first" part of cryptanalysis. A for instance... I'm sitting here monitoring a secure channel that uses insignificant message noise in an attempt to defeat traffic analysis. The parties using the channel post useless messages at intervals designed to maximize the effect of the S/N ratio. Let's say I'm tapping this line, not monitoring it from a "pass through" POV, so I have no idea which direction the individual messages are traveling... and lets say that the participants are using a "revolving key" method of generating noise. If everything is set up right, I have NO way to pick out the useful from the useless, and the useless messages are generated to specifically keep the message load constant... there's no real flux in the numbers of messages. Ahhhhh.... but wait. :) Every message I run through PGP gives me a number! Geeeee, that's strange, this key ID received 10 messages this week, none before, and hey... it seems to fade in and out at some sorta interval. Hmmm.... probably a fake. :) And these five keys over here. Funny how THEY seem to inversely vary in use when compared to these other five keys. This tells me I've probably isolated messages originating from one point. Look here... of the 10 "inverse" messages, five of the keys changed and five didn't last week. Hmmmmm.... Start to get the picture? With a little more time, and some more sophisticated analysis, there's a pretty good chance I can filter out nearly ALL the noise and be left with two things... a "package" of messages I can be pretty sure are legit, and the key ID's of the people they were sent to. That's what traffic analysis is all about. :) There's a LOT more you can add to the mix on either end... this is just a simple "what if" to show one way those "can only be read by XXXX" messages can be put to use. AP>> of your public (or private) key and tie it to you. if you operate on AP>> such a network with personal friends and don't post the keys used, AP>> analysis would be pretty difficult imo. of course, i could be AP>> wrong. You're not wrong, you're just not looking deep enough, or asking the right question. :) Right now, for this purpose, I really don't CARE who sent the messages, who they were intended for, or what's in them. That sorta stuff can be figured out later. But first, I have to cut away the dead wood. ;) Having a number auto-attached to each and every message speeds this process along considerably. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: -=[ Privacy Through Random Acts Of Encryption ]=- iQCVAwUBL7ylVekStfMM4BMZAQFS3gQAg1UVtVKsQT5TL+tKv1gSAomVVq1YPrzM QewmU01WHlB7gVnwYISZz4JVi8r9pldXbXxvGv6VHE+VHa5GuYQhBBjmWG7ccf+1 +PM7RKsP8De5eFUPkMp+MOfnAvVeYvuDKtIIstWz82AOARgkuy8wm3kJnOJDawPw YPI2sL2nERg= =zaVn -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718